Creating Privacy Online

One of the books I read last year was Cory Doctorow’s Little Brother, about a band of high-school hackers who take down the seriously-overstepping, bad-guy Homeland Security Department.

Sound ludicrous? It’s a compelling, well-written and well-characterized “day-after-tomorrow” sort of science fiction. Many of the technologies used in the novel exist, and those that may not are completely believable, as are the spooktastic Homeland Security oafs, the determined underdog high school kids, and the heroine journalist.

Facebook’s attitude toward privacy and the recent release of Firesheep have led me to take a serious look at the unencrypted traffic I send over the various networks I use, as well as the data that I put out there for public consumption. Below are some tools for you to do the same. They are not infallible; they are not security measures per se, like a firewall or virus scanner would be. What they do is provide you with the more private space that you might assume when sitting alone pouring your heart out to a friend.

Email

Use an email system that forces encryption. An encrypted web page’s URL begins with https:// instead of http://. To force Gmail through encryption, click Settings, then “Always Use https” next to “Browser Connection.” Many desktop email clients (Mac Mail, Outlook, Thunderbird) also support encryption. Use your Google to figure it out.

Take end-to-end encryption one step further with PGP (“Pretty Good Privacy”). The PGP key exchange party in Little Brother is one of my favorite scenes.

Unencrypted wireless Internet access is a tough one. Data is sent out over the Internet--wireless or not--in bite-sized chunks called “packets.” Normally, a wireless network card grabs only the packets specifically addressed to it. Formerly the domain of systems administrators and network security experts, packet-sniffing technology has been brought to the masses with a Firefox plug-in called Firesheep. Installed on a computer whose wireless network card is capable of “promiscuous mode,” Firesheep grabs all the data swarming to and from an unencrypted wireless access point (WAP). Even though the initial login process for popular websites like Facebook and flickr is encrypted, it is stunningly common for the cookie that is exchanged afterward to remain unencrypted. When these cookies are sent over an unencrypted wireless connection, they can be grabbed by Firesheep. With a single click, a Firesheep user can hijack a Facebook or flickr account and not only see private data but actually become that user. Shortly after Firesheep was released, a Firefox plugin called Blacksheep was released, designed to combat Firesheep use.
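An added example, not part of the original post: a check a site operator could run on response headers to confirm that the cookie issued after an encrypted login carries the Secure attribute, so the browser never sends it over an unencrypted connection. The header values are constructed samples and the function names are hypothetical.

```python
# Added example: audit response headers for cookies that a browser would
# also send over plain http:// (the condition Firesheep relies on).
# The header values below are constructed samples, not captured traffic.

def parse_set_cookie(value):
    """Split one Set-Cookie header value into (name, attributes)."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name, _, _ = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
    return name.strip(), attrs


def audit_headers(headers):
    """Return findings for a list of (header-name, header-value) pairs."""
    findings = []
    hsts = any(k.lower() == "strict-transport-security" for k, _ in headers)
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        if "secure" not in attrs:
            findings.append(f"{name}: no Secure attribute, sent over http:// too")
    if not hsts:
        findings.append("no Strict-Transport-Security header, browser may still use http://")
    return findings


# Constructed sample: the login was encrypted, but the session cookie
# set afterward is not marked Secure.
WEAK = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session_id=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "theme=dark; Path=/; Secure"),
]
# Constructed sample: the corrected form of the same response.
FIXED = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000"),
    ("Set-Cookie", "session_id=abc123; Path=/; HttpOnly; Secure"),
    ("Set-Cookie", "theme=dark; Path=/; Secure"),
]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("fixed", FIXED)):
        print(label, audit_headers(hdrs))
```

HttpOnly alone does not help here: it hides the cookie from page scripts but does nothing about a cookie travelling in the clear.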

Caveats

The ocean of security and privacy issues regarding Internet use is vast, and I am no expert. The tips above help ensure that information coming into and going out of your computer is more private. Except for PGP and verified OTR, there is no guarantee that the person on the other end is using encryption. Information in an encrypted IM session or email message can often still be copied and emailed through an unencrypted connection or saved to a file on a computer’s hard drive.

Implications for libraries

When bouncing ideas off friends for this post, I suggested that libraries offering unencrypted wifi are doing patrons a disservice. One response was that supporting encrypted wireless access would place too large a burden on already-overworked IT staff. That I can understand, but I’ve used encrypted wifi in too many coffee shops not to be a bit skeptical of this answer. Jason Griffey pointed out, and I agree, that the situation is largely different in academic libraries, where campus IT, not library IT, is typically responsible for network security. Campus wireless networks are often tied to university authentication systems to ensure that this limited resource--like all resources in higher education--is reserved for the campus community and its guests.